Disabling Worms With Honeypots and Active Immunization

Honeypots are ideally suited to intercept traffic from adversaries
that randomly scan the network. This is especially true for Internet
worms that use some form of random scanning for new targets,
e.g. Blaster or Nimda.

We fight Internet worms using the Honeyd framework and actively
counter worm propagation by immunizing infected hosts that contact our
virtual honeypots. Analogous to Moore et al., we can model the effect
of immunization on worm propagation by using the classic SIR epidemic
model. The model states that the number of newly infected hosts
increases linearly with the product of infected hosts, fraction of
susceptible hosts and contact rate. The immunization is represented
by a decrease in new infections that is linear in the number of
infected hosts.

The figure on the right shows a simulated example that tracks the
change in the susceptible, infected and immunized populations.

Our findings are going to be made available as research paper in the
near future. For questions, please contact Niels Provos.

For example, if we assume 360,000 susceptible machines in a 32-bit
address space, set the initial worm seed to 150 infected machines and
each worm launches 50 probes per second. The simulation measures the
effectiveness of using active immunization by virtual honeypots. The
honeypots start working after a time delay. The time delay represents
the time that is required to detect the worm and install the
immunization code. We expect that immunization code can be prepared
before a vulnerability is actively exploited. The two figure on the
right show the worm propagation resulting from a varying number of
instrumented honeypots. The top graph shows the results if
the honeypots are brought online an hour after the worm started
spreading. The bottom graph shows the results if the honeypots
can be activated within 20 minutes. If we wait for an hour, all
vulnerable machines on the Internet will be infected. Our chances are
better if we start the honeypots after 20 minutes. In that case, a
deployment of about 262,000 honeypots is capable of stopping the worm
from spreading.

Alternatively, it would be possible to scan the Internet for
vulnerable systems and remotely patch them. For ethical reasons, this
is probably unfeasible. However, if we can reliably detect an
infected machine with our virtual honeypot framework, then active
immunization might be an appropriate response. For the Blaster worm,
this idea has been realized by
Oudot.